They recommend to keep retrying and eventually the IP should get
greylisted. We've configured our Postfix to do this. All bounced
emails get retried a few times but Mimecast is not removing us off
their greylist.
If you will forgive me, I'm not sure you quite understand greylisting. As Mimecast's docs say, the identifier for a greylisting decision is a triplet:
- IP address of the host attempting the delivery
- Envelope sender address
- Envelope recipient address
When delivery is attempted of an email with a previously unseen triplet, greylisting should temporarily knock it back. When that particular email tries to be redelivered from the same server, it should be accepted, and that specific triplet gets written to a temporary whitelist.
Further emails with the same triplet arriving within the lifetime of the whitelist entry should be delivered. If you have evidence of any of this not happening, it would be of interest.
But further emails from other senders at your domain, or to different recipients, should quite properly be greylisted. Your server doesn't suddenly get carte blanche to send emails simply because it successfully delivered a single piece of mail.
Most recipients do not choose to greylist based on the existence of valid SPF and/or PTR records, nor your IP's presence on blacklists (or the lack thereof), so your accomplishments there—whilst likely to be of help further down the anti-spam chain—are probably not relevant to greylisting.
Greylisting is generally applied to all incoming email, though some implementations do exempt any email that arrives under cover of SMTP TLS, presumably reasoning that very few fire-and-forget bots can properly do TLS (yet).
